diff --git a/.github/workflows/update-action-tag.yml b/.github/workflows/update-action-tag.yml index cfdcd3b..6a14705 100644 --- a/.github/workflows/update-action-tag.yml +++ b/.github/workflows/update-action-tag.yml @@ -41,7 +41,7 @@ jobs: - name: Create a new signed tag uses: ./git-sign with: - command: git tag -a \"v${{ env.VERSION }}\" -m \"Update tag\" -s --local-user=${{ env.GPG_KEY_ID }} + command: git tag -a "v${{ env.VERSION }}" -m "Update tag" -s --local-user=${{ env.GPG_KEY_ID }} - name: Push the tag run: diff --git a/.github/workflows/version.txt b/.github/workflows/version.txt index d8263ee..e440e5c 100644 --- a/.github/workflows/version.txt +++ b/.github/workflows/version.txt @@ -1 +1 @@ -2 \ No newline at end of file +3 \ No newline at end of file diff --git a/README.md b/README.md index cd93505..bb3fce6 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ This action will perform a checkout with the GitHub App credentials. ```yaml - name: secure-checkout - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ vars.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} @@ -65,13 +65,13 @@ used with the `gh` cli. There is a common setup action that is meant to be run before all other actions. It handles fetching secrets from AWS Secrets Manager, -signing into Artifactory, setting up Garasign credentials, and +signing into ECR, setting up Garasign credentials, and setting up environment variables used in other actions. The action requires `id-token: write` permissions. ```yaml - name: setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: ${{ vars.AWS_REGION_NAME }} 
@@ -84,9 +84,8 @@ The action requires `id-token: write` permissions. > `actions/checkout action` > > The following keys MUST be defined in the ``AWS_SECRET_ID`` vault: -> `artifactory-username`, `artifactory-password`, `garasign-username` -> `garasign-password`, `gpg-key-id`. If uploading to an S3 bucket, also define -> `release-assets-bucket`. +> `garasign-username`, `garasign-password`, `gpg-key-id`. +> If uploading to an S3 bucket, also define `release-assets-bucket`. ## Signing tools @@ -98,17 +97,17 @@ Use this action to create signed git artifacts: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create signed commit - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}" - name: Create signed tag - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a " ``` @@ -122,7 +121,7 @@ an argument and update the version accordingly. ```yaml - name: Bump version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: "bash ./my-bump-version-script.sh" @@ -136,7 +135,7 @@ tag message format if desired. ```yaml - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ inputs.version }} ``` 
@@ -147,12 +146,12 @@ This action is used to create detached signatures for files: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: somefile.ext ``` @@ -164,7 +163,7 @@ You can also supply a glob pattern to sign a group of files: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... @@ -186,12 +185,12 @@ It will create the file `$S3_ASSETS/authorized_publication.txt` ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Authorized Publication Report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: mongodb-labs/drivers-github-tools/authorized-pub@v3 with: product_name: Mongo Python Driver release_version: ${{ github.ref_name }} @@ -205,12 +204,12 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create SBOM - uses: mongodb-labs/drivers-github-tools/sbom@v2 + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: sbom_in_path: sbom.json ``` @@ -223,12 +222,12 @@ working directory. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Export Code Scanning Alerts - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3 ``` ### Compliance Report 
@@ -238,12 +237,12 @@ called `ssdlc_compliance_report.md`. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate compliance report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + uses: mongodb-labs/drivers-github-tools/compliance-report@v3 ``` There are several ways to specify the security report: @@ -260,12 +259,12 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate SSDLC Reports - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: winkerberos release_version: ${{ inputs.version }} @@ -280,12 +279,12 @@ be uploaded to the product's S3 bucket: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: product_name: @@ -305,12 +304,12 @@ prerelease version, and push the changes. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Release Branch - uses: mongodb-labs/drivers-github-tools/create-branch@v2 + uses: mongodb-labs/drivers-github-tools/create-branch@v3 with: # user inputs branch: ... @@ -333,7 +332,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... 
@@ -384,11 +383,11 @@ post-publish: security-events: write steps: - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2 + - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3 with: version: ${{ inputs.version }} following_version: ${{ inputs.following_version }} @@ -411,7 +410,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... @@ -460,11 +459,11 @@ post-publish: security-events: write steps: - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v2 + - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3 with: following_version: ${{ inputs.following_version }} version_bump_script: ./.github/scripts/bump-version.sh diff --git a/bump-version/action.yml b/bump-version/action.yml index e7528c3..341824d 100644 --- a/bump-version/action.yml +++ b/bump-version/action.yml @@ -16,9 +16,9 @@ inputs: working_directory: description: The working directory for the version bump default: "." - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git runs: using: composite 
@@ -36,10 +36,10 @@ runs: export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst) echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: - command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - artifactory_image: ${{ inputs.artifactory_image }} + command: git commit -a -m "${{ env.COMMIT_MESSAGE }}" -s --gpg-sign=${{ env.GPG_KEY_ID }} + ecr_repository: ${{ inputs.ecr_repository }} - name: Push the commit to the source branch shell: bash -eux {0} run: | diff --git a/create-branch/action.yml b/create-branch/action.yml index a322a19..45c2c79 100644 --- a/create-branch/action.yml +++ b/create-branch/action.yml @@ -23,15 +23,10 @@ inputs: release_workflow_path: description: The path to the release workflow file default: .github/workflows/release.yml - artifactory_image: - description: Image to use for artifactory - default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local - # Unused inputs, to be removed in V3. - sbom_file_path: - description: The path of the sbom-lite file - default: sbom.json - silk_group_prefix: - description: The prefix to use for the silk asset group, defaults to the repo name + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git + runs: using: composite steps: 
@@ -43,11 +38,11 @@ runs: SBOM_FILE_PATH: ${{ inputs.sbom_file_path }} RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }} EVERGREEN_PROJECT: ${{ inputs.evergreen_project }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} run: ${{ github.action_path }}/create-branch.sh - - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + - uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: ${{ inputs.version_bump_script }} commit_template: "Prep branch ${{ inputs.branch_name }}" - push_commit: ${{ inputs.push_changes }} \ No newline at end of file + push_commit: ${{ inputs.push_changes }} + ecr_repository: ${{ inputs.ecr_repository }} \ No newline at end of file diff --git a/full-report/action.yml b/full-report/action.yml index 2d4c16b..ee8b8ee 100644 --- a/full-report/action.yml +++ b/full-report/action.yml 
@@ -31,36 +31,32 @@ inputs: description: The distribution filename or glob pattern token: description: The GitHub access token - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project runs: using: composite steps: - name: Generate Authorized Publication Report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: mongodb-labs/drivers-github-tools/authorized-pub@v3 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.release_version }} filenames: ${{ inputs.dist_filenames }} token: ${{ inputs.token }} - name: Generate SBOM File - # not all packages have third party dependencies, and so not all packages integrate with silk. - if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 + # not all packages have third party dependencies, and so not all packages produce sboms. + if: ${{ inputs.sbom_in_path }} + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: - silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - name: Generate Sarif File - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3 with: ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }} output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json - name: Generate Compliance Report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + uses: mongodb-labs/drivers-github-tools/compliance-report@v3 with: release_version: ${{ inputs.release_version }} security_report_location: ${{ inputs.security_report_location }} diff --git a/git-sign/action.yml b/git-sign/action.yml index 5ca4b03..e7eae2b 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml 
@@ -4,20 +4,28 @@ inputs: command: description: "Command to run inside the container" required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git runs: using: composite steps: - name: "Run git command" + env: + ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} + COMMAND: ${{ inputs.command }} run: | - podman run \ + WORKING_DIR=/home/git-checkout + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ - /bin/bash -c "gpgloader && ${{ inputs.command }}" + -v $(pwd):$WORKING_DIR \ + -w $WORKING_DIR \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ + /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${COMMAND}" shell: bash diff --git a/golang/pre-publish/action.yml b/golang/pre-publish/action.yml index 2315f8a..fa7efbe 100644 --- a/golang/pre-publish/action.yml +++ b/golang/pre-publish/action.yml @@ -14,14 +14,14 @@ inputs: runs: using: composite steps: - - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + - uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: "go run ${{ github.action_path }}/bump-version.go" commit_template: "BUMP v${VERSION}" # Never push commit, we still need to merge up if a push is requested push_commit: false - - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + - uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: v${{ inputs.version }} push_tag: ${{ inputs.push_changes }} diff --git a/golang/publish/action.yml b/golang/publish/action.yml index 5ffb28e..a942f02 100644 
--- a/golang/publish/action.yml +++ b/golang/publish/action.yml @@ -15,10 +15,6 @@ inputs: default: "true" token: description: The GitHub token - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project - required: false runs: using: composite @@ -28,7 +24,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@v2 + - uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: mongo-go-driver release_version: ${{ inputs.version }} @@ -47,7 +43,7 @@ runs: GH_TOKEN: ${{ inputs.token }} run: ./publish.sh - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ inputs.version }} product_name: mongo-go-driver diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index e4765fb..386e0e7 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -4,9 +4,12 @@ inputs: filenames: description: "File name(s) to sign, can be a glob pattern" required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-gpg + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git runs: using: composite 
@@ -23,13 +26,16 @@ runs: echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT - name: "Create detached signature for file" shell: bash + env: + ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} run: | - podman run \ + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" diff --git a/node/generate_release.mjs b/node/generate_release.mjs index f07ab1a..7246f97 100644 --- a/node/generate_release.mjs +++ b/node/generate_release.mjs @@ -7,12 +7,12 @@ const __dirname = dirname(fileURLToPath(import.meta.url)); const args = process.argv.slice(2); if (!(args.length === 3 || args.length === 4)) { console.error( - `usage: generate_release.js `, + `usage: generate_release.js `, ); process.exit(1); } -const [npmPackage, branch, tag, assetGroup] = args; +const [npmPackage, branch, tag, sbomInPath, konduktoSubProject] = args; const isNative = npmPackage === "kerberos" || npmPackage === "mongodb-client-encryption"; @@ -32,7 +32,8 @@ const generated = template .replaceAll("RELEASE_TAG", tag) .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[npmPackage] ?? "") .replaceAll("IGNORE_INSTALL_SCRIPTS", isNative) - .replaceAll("SILK_ASSET_GROUP", assetGroup ? `'${assetGroup}'` : "''"); + .replaceAll("SBOM_IN_PATH", sbomInPath ? `'${sbomInPath}'` : "''") + .replaceAll("KONDUKTO_SUB_PROJECT", konduktoSubProject ? `'${konduktoSubProject}'` : "''") const project = EVERGREEN_PROJECTS[npmPackage]; if (!project) { diff --git a/node/release_template.yml b/node/release_template.yml index 40fb559..18dcfe7 100644 --- a/node/release_template.yml +++ b/node/release_template.yml 
@@ -39,17 +39,17 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 + uses: mongodb-labs/drivers-github-tools/node/setup@v3 with: ignore_install_scripts: IGNORE_INSTALL_SCRIPTS - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 with: npm_package_name: RELEASE_PACKAGE - name: actions/compress_sign_and_upload - uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v3 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -59,19 +59,20 @@ jobs: - name: Copy sbom file to release assets shell: bash - if: ${{ SILK_ASSET_GROUP == '' }} + if: ${{ SBOM_IN_PATH == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json # only used for mongodb-client-encryption - name: Augment SBOM and copy to release assets - if: ${{ SILK_ASSET_GROUP != '' }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 + if: ${{ SBOM_IN_PATH != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: - silk_asset_group: SILK_ASSET_GROUP + sbom_in_path: SBOM_IN_PATH + kondukto_sub_project: KONDUKTO_SUB_PROJECT sbom_file_name: sbom.json - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: release_version: ${{ env.package_version }} product_name: RELEASE_PACKAGE @@ -83,7 +84,7 @@ jobs: evergreen_project: EVERGREEN_PROJECT evergreen_commit: ${{ env.commit }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ env.package_version }} product_name: RELEASE_PACKAGE 
@@ -97,7 +98,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 + uses: mongodb-labs/drivers-github-tools/node/setup@v3 - run: npm publish --provenance --tag=RELEASE_TAG if: ${{ needs.release_please.outputs.release_created }} diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml index 72d8bdb..9f20dee 100644 --- a/node/sign_node_package/action.yml +++ b/node/sign_node_package/action.yml @@ -3,13 +3,13 @@ description: "Compresses package and signs with garasign and uploads to GH relea inputs: aws_role_arn: - description: "AWS role input for drivers-github-tools/gpg-sign@v2" + description: "AWS role input for drivers-github-tools/gpg-sign@v3" required: true aws_region_name: - description: "AWS region name input for drivers-github-tools/gpg-sign@v2" + description: "AWS region name input for drivers-github-tools/gpg-sign@v3" required: true aws_secret_id: - description: "AWS secret id input for drivers-github-tools/gpg-sign@v2" + description: "AWS secret id input for drivers-github-tools/gpg-sign@v3" required: true npm_package_name: description: "The name for the npm package this repository represents" @@ -40,12 +40,12 @@ runs: mkdir ${{ inputs.artifact_directory }} - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 with: npm_package_name: ${{ inputs.npm_package_name }} - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_region_name: ${{ inputs.aws_region_name }} aws_role_arn: ${{ inputs.aws_role_arn }} 
@@ -68,7 +68,7 @@ runs: echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV" - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: ${{ env.FILES_TO_SIGN }} env: diff --git a/python-labs/post-publish/action.yml b/python-labs/post-publish/action.yml index 2622645..fc672b9 100644 --- a/python-labs/post-publish/action.yml +++ b/python-labs/post-publish/action.yml @@ -69,7 +69,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python-labs/pre-publish/action.yml b/python-labs/pre-publish/action.yml index b12b7da..831bc1f 100644 --- a/python-labs/pre-publish/action.yml +++ b/python-labs/pre-publish/action.yml @@ -53,7 +53,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV rm -rf dist - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index ef0fb3c..126f188 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -36,10 +36,6 @@ inputs: dry_run: description: Whether this is a dry run required: true - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project - required: false runs: using: composite @@ -70,7 +66,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Create detached signature for dist files - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: dist/* - name: Get the evergreen commit 
@@ -78,7 +74,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@v2 + - uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: ${{ inputs.product_name }} release_version: ${{ env.VERSION }} @@ -86,11 +82,10 @@ runs: dist_filenames: dist/* kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - silk_asset_group: ${{ inputs.silk_asset_group }} evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} token: ${{ inputs.token }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ env.VERSION }} product_name: ${{ inputs.product_name }} @@ -121,7 +116,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python/pre-publish/action.yml b/python/pre-publish/action.yml index e4e2a4e..c1ab3c6 100644 --- a/python/pre-publish/action.yml +++ b/python/pre-publish/action.yml @@ -63,7 +63,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Set version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: ${{ inputs.version }} with: version: ${{ env.VERSION }} @@ -71,7 +71,7 @@ runs: working_directory: ${{ inputs.working_directory }} push_commit: ${{ env.PUSH_CHANGES }} - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} 
diff --git a/ruby/build/action.yml b/ruby/build/action.yml new file mode 100644 index 0000000..5619680 --- /dev/null +++ b/ruby/build/action.yml 
@@ -0,0 +1,83 @@ +name: Build Gem +description: Build a gem for a DBX Ruby project +inputs: + app_id: + description: The APP_ID defined for this project + required: true + app_private_key: + description: The APP_PRIVATE_KEY defined for this project + required: true + artifact: + description: The name to give the generated artifact (e.g. "ruby" or "jruby") + required: false + default: ruby + bundler_cache_version: + description: The cache-version to use for the bundler cache + required: false + default: '0' + gem_name: + description: The name (sans extension) of the gemspec file (e.g. "mongo") + required: true + ref: + description: The reference to checkout (branch, tag, sha, etc) + required: true + ruby_version: + description: The version of Ruby to use (see setup-ruby/action.yml) + default: '3.2' + required: false + rubygems_version: + description: The version of Rubygems to use (see setup-ruby/action.yml) + required: false + default: latest + +runs: + using: composite + steps: + - name: Check out the repository + # 58501b85eae697e451b5d1d7dba53f69f65d1909 => the 'v2' tag as of 2025-07-28 + uses: mongodb-labs/drivers-github-tools/secure-checkout@58501b85eae697e451b5d1d7dba53f69f65d1909 + with: + app_id: ${{ inputs.app_id }} + private_key: ${{ inputs.app_private_key }} + ref: ${{ inputs.ref }} + submodules: true + + - name: Setup Ruby + # bb6434c747fa7022e12fa1cae2a0951fcffcff26 => the 'v1' branch as of 2025-07-28 + uses: ruby/setup-ruby@a9bfc2ecf3dd40734a9418f89a7e9d484c32b990 + with: + ruby-version: ${{ inputs.ruby_version }} + rubygems: ${{ inputs.rubygems_version }} + bundler-cache: true + cache-version: ${{ inputs.bundler_cache_version }} + + - name: Get the release version + id: release_version + shell: bash + run: echo "version=$(bundle exec rake version)" >> "$GITHUB_OUTPUT" + + - name: Get the gem file name + shell: bash + id: gem_name + env: + GEM_NAME: ${{ inputs.gem_name }} + ACTION_PATH: ${{ github.action_path }} + RELEASE_VERSION: ${{ 
steps.release_version.outputs.version }} + run: echo "name=$(ruby ${ACTION_PATH}/gem_name.rb ${GEM_NAME} ${RELEASE_VERSION})" >> "$GITHUB_OUTPUT" + + - name: Build the gem + shell: bash + env: + GEM_NAME: ${{ inputs.gem_name }} + GEM_FILE_NAME: ${{ steps.gem_name.outputs.name }} + run: | + bundle exec rake build GEMSPEC="${GEM_NAME}.gemspec" GEM_FILE_NAME="${GEM_FILE_NAME}" + + - name: Save the generated gem file for later + # ea165f8d65b6e75b540449e92b4886f43607fa02 => the 'v4' tag as of 2025-07-28 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 + with: + name: ${{ inputs.artifact }} + path: ${{ steps.gem_name.outputs.name }} + retention-days: 1 + overwrite: true diff --git a/ruby/build/gem_name.rb b/ruby/build/gem_name.rb new file mode 100644 index 0000000..a99284a --- /dev/null +++ b/ruby/build/gem_name.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +# This script generates the name of a gem file based on the provided +# gem name and version. It takes into account whether it is running +# under JRuby to append "-java" to the gem name if necessary. +# +# Usage: +# ruby gem_name.rb + +if ARGV.length != 2 + puts "Usage: ruby gem_name.rb " + exit 1 +end + +gem_name = ARGV.first +gem_version = ARGV.last + +base_name = "#{gem_name}-#{gem_version}" +base_name = "#{base_name}-java" if defined?(JRUBY_VERSION) + +puts "#{base_name}.gem" diff --git a/ruby/cleanup/action.yml b/ruby/cleanup/action.yml index 1f144a1..e6801f1 100644 --- a/ruby/cleanup/action.yml +++ b/ruby/cleanup/action.yml @@ -15,7 +15,7 @@ runs: using: composite steps: - name: 'Check out the repository' - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ inputs.app_id }} private_key: ${{ inputs.app_private_key }} diff --git a/ruby/pr-check/action.yml b/ruby/pr-check/action.yml new file mode 100644 index 0000000..e43308d --- /dev/null +++ b/ruby/pr-check/action.yml 
@@ -0,0 +1,113 @@ +# PRs are only eligible for release if they are merged and have +# the `release-candidate` label. +# +# The only events allowed to trigger this action are: +# - push (in which case the commit sha is used to find the corresponding +# PR) +# - workflow_dispatch (in which case the PR is found from the inputs +# on the event) + +name: PR Check +description: Check that a PR is eligible for release + +outputs: + message: + description: The body of the pull request that is being released. + value: ${{ steps.check_pr.outputs.message }} + ref: + description: The ref of the pull request that is being released. + value: ${{ steps.check_pr.outputs.ref }} + +runs: + using: composite + steps: + - name: "Check PR Eligibility" + id: check_pr + # 60a0d83039c74a4aee543508d2ffcb1c3799cdea => 'v7' tag as of 2025-07-28 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea + with: + script: | + let pr; + + // was this triggered by a push event? + if (context.eventName == 'push') { + // if so, we need to find the PR that corresponds to the commit + // that was pushed. + // + // because only maintainers can push to protected branches, + // we can assume the user has the correct permissions to do + // this. + const { data: listing } = await github.rest.repos.listPullRequestsAssociatedWithCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + commit_sha: context.payload.after, + }); + + if (listing.length == 0) { + throw new Error(`Workflow aborted: No pull request found for the pushed commit (${context.payload.after}).`); + } + + const response = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: listing[0].number, + }); + + pr = response.data; + + // if it wasn't triggered by a push event, was it triggered by + // a workflow_dispatch event? 
+ } else if (context.eventName == 'workflow_dispatch') { + // it is technically possible for users with only write access + // to trigger workflows; we need to make sure that the user + // who triggered this has either admin or maintain access to the + // repository. + const username = context.triggering_actor || context.actor; + + const { data: perms } = await github.rest.repos.getCollaboratorPermissionLevel({ + owner: context.repo.owner, + repo: context.repo.repo, + username, + }); + + if (perms.role_name !== 'admin' && perms.role_name !== 'maintain') { + throw new Error(`User ${username} must have 'admin' or 'maintain' role to initiate the release process. (${perms.role_name})`); + } + + // if so, we grab the PR with the number that was passed in with + // the inputs. + const number = context.payload.inputs.pr; + if (!number) { + throw new Error('Workflow aborted: No pull request number provided. (need `pr` input)'); + } + + const response = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: number, + }); + + pr = response.data; + + // workflow was triggered by an unrecognized/unsupported event + } else { + throw new Error(`Workflow aborted: Unsupported event type: ${context.eventName}.`); + } + + if (!pr) { + throw new Error('No pull request found for the triggered event.'); + } + + if (!pr.merged) { + throw new Error('Pull request is not merged.'); + } + + if (!pr.labels.some(label => label.name == 'release-candidate')) { + throw new Error('Pull request is not a release candidate.'); + } + + console.log('body: >>', pr.body, '<<'); + console.log('ref: >>', pr.merge_commit_sha, '<<'); + + core.setOutput('message', pr.body); + core.setOutput('ref', pr.merge_commit_sha); diff --git a/ruby/publish/action.yml b/ruby/publish/action.yml index 711e99d..d5d71c7 100644 --- a/ruby/publish/action.yml +++ b/ruby/publish/action.yml 
@@ -1,5 +1,5 @@ name: Publish Ruby -description: Generate and publish gems, signatures, and assets for MongoDB Ruby projects +description: Publish gems, signatures, and assets for MongoDB Ruby projects inputs: app_id: description: The APP_ID defined for this project 
@@ -32,107 +32,179 @@ inputs: product_id: description: The identifier of the product being published (e.g. "mongo-ruby-driver") required: true - release_message_template: - description: The template for the release message. Use "{0}" in the text to refer to the current version. + ref: + description: The reference to checkout (branch, tag, sha, etc) + required: true + release_message: + description: The (markdown-formatted) text to post as the description of the new release required: true rubygems_version: description: The version of Rubygems to use (see setup-ruby/action.yml) required: false default: latest - silk_asset_group: - description: The Silk asset group for the project - required: true + ruby_version: + description: The version of Ruby to use (see setup-ruby/action.yml) + default: '3.2' + required: false + sbom_in_path: + description: The path of the input sbom file. + default: sbom.json + kondukto_sub_project: + description: The Kondukto sub-project name (appended to the branch name) + required: false runs: using: composite steps: - name: Check out the repository - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ inputs.app_id }} private_key: ${{ inputs.app_private_key }} + ref: ${{ inputs.ref }} + submodules: true - name: Setup Ruby - uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1 + # bb6434c747fa7022e12fa1cae2a0951fcffcff26 => the 'v1' branch as of 2025-07-28 + uses: ruby/setup-ruby@bb6434c747fa7022e12fa1cae2a0951fcffcff26 with: - ruby-version: '3.2' + ruby-version: ${{ inputs.ruby_version }} rubygems: ${{ inputs.rubygems_version }} bundler-cache: true cache-version: ${{ inputs.bundler_cache_version }} - name: Get the release version + id: release_version shell: bash - run: echo "RELEASE_VERSION=$(bundle exec rake version)" >> "$GITHUB_ENV" + run: echo "version=$(bundle exec rake version)" >> "$GITHUB_OUTPUT" - name: Setup GitHub tooling for DBX 
Drivers - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_role_arn: ${{ inputs.aws_role_arn }} aws_region_name: ${{ inputs.aws_region_name }} aws_secret_id: ${{ inputs.aws_secret_id }} - - name: Set output gem file name - shell: bash - run: | - echo "GEM_FILE_NAME=${{ inputs.gem_name }}-${{ env.RELEASE_VERSION }}.gem" >> "$GITHUB_ENV" - - - name: Build the gem - shell: bash - run: | - gem build --output=${{ env.GEM_FILE_NAME }} ${{ inputs.gem_name }}.gemspec + - name: Fetch the gem artifacts + # d3f86a106a0bac45b974a628896c90dbdf5c8093 => the 'v4' tag as of 2025-07-28 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + merge-multiple: true - - name: Sign the gem - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + - name: Sign the gems + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: - filenames: '${{ env.GEM_FILE_NAME }}' + filenames: '*.gem' - name: Generate SSDLC Reports - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: ${{ inputs.product_name }} - release_version: ${{ env.RELEASE_VERSION }} - dist_filenames: ${{ env.GEM_FILE_NAME }} - silk_asset_group: ${{ inputs.silk_asset_group }} + release_version: ${{ steps.release_version.outputs.version }} + dist_filenames: '*.gem' + kondukto_sub_project: ${{ inputs.kondukto_sub_project }} + sbom_in_path: ${{ inputs.sbom_in_path }} + + - name: Look for existing tag + id: tag_exists + shell: bash + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: | + if git rev-parse "v${RELEASE_VERSION}" >/dev/null 2>&1; then + echo "Tag v${RELEASE_VERSION} already exists." + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "Tag v${RELEASE_VERSION} does not exist." 
+ echo "exists=false" >> "$GITHUB_OUTPUT" + fi - name: Create the tag - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 + if: steps.tag_exists.outputs.exists == 'false' with: - version: ${{ env.RELEASE_VERSION }} + version: ${{ steps.release_version.outputs.version }} tag_template: "v${VERSION}" tag_message_template: "Release tag for v${VERSION}" - - name: Create a new release + - name: Look for existing release + id: release_exists shell: bash - run: gh release create v${{ env.RELEASE_VERSION }} --title ${{ env.RELEASE_VERSION }} --generate-notes --draft - - - name: Capture the changelog + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: | + if gh release view "v${RELEASE_VERSION}" >/dev/null 2>&1; then + echo "Release v${RELEASE_VERSION} already exists." + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "Release v${RELEASE_VERSION} does not exist." + echo "exists=false" >> "$GITHUB_OUTPUT" + fi + + - name: Write release notes to file shell: bash - run: gh release view v${{ env.RELEASE_VERSION }} --json body --template '{{ .body }}' >> changelog + env: + RELEASE_NOTES: ${{ inputs.release_message }} + run: | + # identifier is intentionally obscure to avoid potential conflicts + # with supplied text from the release notes themselves. 
+ cat <<__RELEASE_NOTES_IKDJAIELD__ > release_notes.txt + ${RELEASE_NOTES} + __RELEASE_NOTES_IKDJAIELD__ - - name: Prepare release message + - name: Create a new release + if: steps.release_exists.outputs.exists == 'false' shell: bash - run: | - echo "${{ format(inputs.release_message_template, env.RELEASE_VERSION) }}" > release-message - cat changelog >> release-message + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: gh release create v${RELEASE_VERSION} --title ${RELEASE_VERSION} --notes-file release_notes.txt --draft - - name: Update release information + - name: Else update the existing release + if: steps.release_exists.outputs.exists == 'true' shell: bash - run: | - echo "RELEASE_URL=$(gh release edit v${{ env.RELEASE_VERSION }} --notes-file release-message)" >> "$GITHUB_ENV" + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: gh release edit v${RELEASE_VERSION} --notes-file release_notes.txt - name: Upload release artifacts shell: bash - run: gh release upload v${{ env.RELEASE_VERSION }} ${{ env.GEM_FILE_NAME }} ${{ env.RELEASE_ASSETS }}/${{ env.GEM_FILE_NAME }}.sig + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + RELEASE_ASSETS: ${{ env.RELEASE_ASSETS }} + run: gh release upload --clobber v${RELEASE_VERSION} *.gem ${RELEASE_ASSETS}/*.sig - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: - version: ${{ env.RELEASE_VERSION }} + version: ${{ steps.release_version.outputs.version }} product_name: ${{ inputs.product_id }} dry_run: ${{ inputs.dry_run }} + - name: Look for existing gem + id: gem_exists + shell: bash + env: + GEM_NAME: ${{ inputs.gem_name }} + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: | + if gem search --remote ${GEM_NAME} --version ${RELEASE_VERSION} | grep -q "${RELEASE_VERSION}"; then + echo "Gem ${GEM_NAME} version ${RELEASE_VERSION} 
already exists." + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "Gem ${GEM_NAME} version ${RELEASE_VERSION} does not exist." + echo "exists=false" >> "$GITHUB_OUTPUT" + fi + - name: Publish the gem - uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1 - if: inputs.dry_run == 'false' + # ebe1ec66bd8d2c709ac29aa2b43438d450e7a0a6 => the 'v1' branch as of 2025-07-28 + uses: rubygems/release-gem@ebe1ec66bd8d2c709ac29aa2b43438d450e7a0a6 + if: inputs.dry_run == 'false' && steps.gem_exists.outputs.exists == 'false' with: await-release: false + + - name: Publish the release + if: inputs.dry_run == 'false' + shell: bash + env: + RELEASE_VERSION: ${{ steps.release_version.outputs.version }} + run: gh release edit v${RELEASE_VERSION} --draft=false diff --git a/sbom/action.yml b/sbom/action.yml index 9cb38d8..b167869 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -10,13 +10,12 @@ inputs: kondukto_sub_project: description: The Kondukto sub-project name (appended to the branch name) required: false - artifactory_image: - description: Image to use for artifactory - default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project - required: false + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/silkbomb:2.0 runs: using: composite @@ -26,7 +25,8 @@ runs: env: SBOM_IN_PATH: ${{ inputs.sbom_in_path }} KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} + ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} run: | set -eu 
@@ -37,14 +37,14 @@ runs: fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." echo "Updating SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ - ${ARTIFACTORY_IMAGE} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number echo "Augumenting SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ - ${ARTIFACTORY_IMAGE} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME} echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done." \ No newline at end of file diff --git a/setup/action.yml b/setup/action.yml index 617c69e..2a14145 100644 --- a/setup/action.yml +++ b/setup/action.yml 
@@ -10,15 +10,30 @@ inputs: aws_secret_id: description: "The name of the aws secret to use" required: true - artifactory_username: - description: "The artifactory username to be used" - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com + ecr_registry_id: + description: "The ECR registry id to use" + default: "901841024863" + ecr_role_arn: + description: "The ECR role arn to use" + default: "arn:aws:iam::901841024863:role/ecr-role-gha-ro" + ecr_region: + description: "The ECR region to use" + default: us-east-1 runs: using: composite steps: + # Docker login must be done before input role login so we remain logged in for S3 upload. + - name: configure aws credentials for ECR + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: ${{ inputs.ecr_role_arn }} + role-session-name: release-session + aws-region: ${{ inputs.ecr_region }} + - name: Log in to ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 + with: + registries: "${{ inputs.ecr_registry_id }}" - name: configure aws credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 with: @@ -36,7 +51,4 @@ runs: id: setup run: ${{ github.action_path }}/setup.sh env: - ARTIFACTORY_USERNAME_INPUT: ${{ inputs.artifactory_username }} - ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} - AWS_SECRET_ID: ${{ inputs.aws_secret_id }} + AWS_SECRET_ID: ${{ inputs.aws_secret_id }} \ No newline at end of file diff --git a/setup/setup.sh b/setup/setup.sh index 7cc98d0..f2d3c66 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -10,14 +10,6 @@ for var in $vars; do declare $new_key=${!var} done -echo "::group::Set up artifactory" -ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME:-} -if [ -n "${ARTIFACTORY_USERNAME_INPUT}" ]; then - ARTIFACTORY_USERNAME=$ARTIFACTORY_USERNAME_INPUT -fi -echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY -echo "::endgroup::" - echo "Set up envfile for garasign" GARASIGN_ENVFILE=/tmp/garasign-envfile cat << EOF > $GARASIGN_ENVFILE @@ -57,7 +49,6 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} -ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-} diff --git a/tag-version/action.yml b/tag-version/action.yml index 4b5e402..9a4d69b 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml @@ -13,9 +13,9 @@ inputs: push_tag: description: Whether to push the tag default: "true" - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git runs: using: composite @@ -33,10 +33,10 @@ runs: export TAG_MESSAGE=$(echo "${{ inputs.tag_message_template }}" | envsubst) echo "TAG_MESSAGE=$TAG_MESSAGE" >> $GITHUB_ENV - name: Tag the version - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: - command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }} - artifactory_image: ${{ inputs.artifactory_image }} + command: git tag -a "${{ env.TAG }}" -m "${{ env.TAG_MESSAGE }}" -s --local-user=${{ env.GPG_KEY_ID }} + ecr_repository: ${{ inputs.ecr_repository }} - name: Verify the tag shell: bash -eux {0} run: | 
diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000..fff6c38 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,7 @@ +rules: + unpinned-uses: + config: + policies: + actions/checkout: hash-pin + actions/*: ref-pin + mongodb-labs/*: ref-pin \ No newline at end of file
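Review bot: in the new PR-check action (the `@@ -0,0 +1,113 @@` hunk), the push branch takes `listing[0]` from `listPullRequestsAssociatedWithCommit` without checking that this PR is the one whose merge produced the pushed commit; that endpoint returns every PR the commit is part of, in no guaranteed order, so a commit that was carried into a second PR can select the wrong one. After the `pulls.get` call, add a guard such as `if (pr.merge_commit_sha !== context.payload.after) throw new Error(...)` so the `ref` output is always the pushed sha. Also note that the `message` output is `pr.body`, text written by the PR author; the `console.log` of it is harmless, but consumers must pass that output through `env:` rather than interpolating it with `${{ }}` inside a `run:` script, and the action comment should say so.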
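Review bot: in the `ruby/publish/action.yml` hunk, `Fetch the gem artifacts` calls `actions/download-artifact` with `merge-multiple: true` and neither `name` nor `pattern`, so every artifact in the run lands in the workspace, and `Sign the gems` (`filenames: '*.gem'`) followed by `gh release upload --clobber v${RELEASE_VERSION} *.gem ...` will sign and publish any `.gem` that happens to be there; restrict the download with `pattern:` (or `name:`) to the build job's artifact. Two smaller points in the same hunk: `gem search --remote ${GEM_NAME}` matches name substrings, so `grep -q "${RELEASE_VERSION}"` can report the gem as already published when a differently named gem sharing the prefix has that version (use `gem search --remote --exact "${GEM_NAME}" --version "${RELEASE_VERSION}"`), and in `Write release notes to file` the heredoc delimiter is matched before `${RELEASE_NOTES}` is expanded, so its contents can never terminate the heredoc; `printf '%s\n' "${RELEASE_NOTES}" > release_notes.txt` does the same job and the "intentionally obscure" comment can go. The real protection here is passing the notes via `env:` instead of `${{ inputs.release_message }}` in the script, which the hunk gets right.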
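Review bot: in the `sbom/action.yml` hunks, the image is now `${ECR_REGISTRY}/${ECR_REPOSITORY}` with a default of `release-infrastructure/silkbomb:2.0`, a mutable tag, and that container runs with the repository and `${RELEASE_ASSETS}` bind-mounted read-write. Pin the default by digest (`release-infrastructure/silkbomb@sha256:<digest>`, value to be filled in) so the SBOM tool is pinned the way the actions in this diff are. Replacing `-it` with `-i` is correct for the non-TTY runner.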
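Review bot: in the first `setup/action.yml` hunk, the comment "Docker login must be done before input role login so we remain logged in for S3 upload" should state the actual mechanism: `amazon-ecr-login` stores the registry token in the Docker config, which survives the second `configure-aws-credentials` step replacing the `AWS_*` environment, so `ecr-role-gha-ro` is only ever assumed for the `docker login` itself. In the second hunk the rewritten `AWS_SECRET_ID: ${{ inputs.aws_secret_id }}` line drops the file's trailing newline (`\ No newline at end of file`); restore it.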
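Review bot: in the `tag-version/action.yml` hunks, the new `ecr_repository` default `release-infrastructure/garasign-git` carries no tag, so the signing container resolves to `latest`; pin it (tag at minimum, digest preferably), since this image holds the GPG signing path. The `command:` line also changes from `\"${{ env.TAG }}\"` to `"${{ env.TAG }}"`, which only works if `git-sign@v3` tokenizes its `command` differently from `@v2`; `git-sign/action.yml` is not in this diff, so confirm it accepts the new `ecr_repository` input and that a `tag_message_template` containing spaces (`Release tag for v${VERSION}`) still arrives as a single `-m` argument.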
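Review bot: in the new `zizmor.yml`, the `unpinned-uses` policies cover `actions/*` and `mongodb-labs/*` only; the third-party actions this diff hash-pins (`ruby/setup-ruby`, `rubygems/release-gem`, `aws-actions/*`) have no entry, so nothing in the config prevents a later change from referencing one of them by a mutable `@v1` again. Add a catch-all `"*": hash-pin` policy (keeping the `ref-pin` exceptions above it) so the lint enforces what the diff does by hand, and add the missing trailing newline.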